Privacy Policy
EPIC is committed to securing the fundamental right to privacy in the digital age for all people. Part of that commitment is strictly limiting the collection and processing of your personal data, and to the best of our abilities we will work only with other entities who do the same. EPIC will never sell or monetize your data.
There are a few limited instances in which we need to collect limited personal information about you.
1. Information collected when you sign up for our mailing lists
You may choose to voluntarily share your e-mail address with us when you sign up for the EPIC Alert or our press list. We will not rent, lease, or sell your e-mail address to third parties. We do not include any trackers in our e-mails.
We will, by necessity, share your email address with our email service provider, EmailOctopus. You can view EmailOctopus’s privacy policy here.
2. Information collected when you browse epic.org
Our website uses Matomo to analyze traffic, but does so without using any cookies or collecting personal data. We chose Matomo because of its commitment to privacy. The data we collect may include information about the device and software you use to access our website (user-agent header), the time of your visit, and the domain you were visiting before arriving at our website (from the referrer header). We have all privacy settings in Matomo set to the most privacy-protective option, including fully anonymizing IP addresses. You can view Matomo’s privacy policy here.
We host our Website on Pantheon, whose privacy policy is here, and we use Cloudflare to protect our website from bot traffic. You can view Cloudflare’s privacy policy here.
3. Information collected when you donate to EPIC
We also collect data from donors when they donate to support our work. As with all other personal information, we do not share, loan, trade, rent, or sell donor information to third parties.
Our credit card processor is Stripe, whose privacy policy is here. In order to comply with credit card processing requirements, epic.org includes third-party javascript from Stripe that may contain other tracking. However, this content is only loaded upon visiting the “Donate” page. We also offer Apple Pay on Apple devices.
We maintain records of donor giving. This information is stored so that EPIC can properly acknowledge gifts pursuant to applicable tax regulations and is also used by EPIC to understand giving histories and keep in touch with donors. This applies to donations and donor information received both online and offline. We use Beacon to host our donor information, a service based in the U.K. that we chose because of its privacy practices. In Beacon, we store your name, e-mail address, and giving history.
The Fine Print: Our Full Privacy Notice
PRIVACY COMMITMENT
The Electronic Privacy Information Center (“EPIC,” “we,” “our,” or “us”) is strongly committed to protecting your privacy rights. As part of that commitment, we want to be as clear as possible how about we collect and process your personal information and any third-party services we use. We process as little of your personal data as possible.
EPIC does not sell or rent any personal data that we process about you. Certain actions, such as donating to us or signing up for a newsletter, require processing by third parties and any personal data that you submit for these purposes will redirect to them and be governed by their privacy policies. These are listed and described in the “Third Parties” section below. We conscientiously select and review authorized third parties when possible and review their privacy and security policies. These authorized third parties may be engaged in, among other things, the processing of donations, technology support, or email outreach carried out in connection with our mission. Limited members of EPIC staff or the staff working for these third parties may also access and otherwise process your personal data in connection with their job responsibilities or contractual obligations.
EPIC will challenge any subpoena or other legal process seeking access to personal data that we hold about our website visitors, donors, mailing list members, or petition/campaign participants.
CONTROLLERSHIP
EPIC is the controller for all personal data processed for the purposes below. This means that we determine the purposes for which the personal data will be processed and respond to any questions or requests you have about the personal data. In some cases, third parties may process your personal data in order to assist us in fulfilling the processing purposes. These cases are described below. Where this occurs, the third party acts as a data processor and EPIC remains the data controller. The third parties process the data only at our instructions and for the specific purposes listed.
PERSONAL DATA
Personal data means any information that identifies you as an individual. This includes your name, email address, pictures of you, personal device ID, location, and more. EPIC collects only personal data necessary to allow you to access our website, donate to us, participate in petitions or campaigns, or receive EPIC email alerts. Below, we tell you what precise personal data elements are collected in each instance, what the personal data is used for, and the processing basis. You always have a choice of whether to provide us with your personal data, but we may be unable to provide certain services to you without it (for example, we cannot send you email alerts without your email address).
WEBSITE
EPIC makes information on its website freely available to Internet users without storing any personal data. We do not enable any cookies other than those strictly necessary to process your information for requested services (for example, if you click on a link to donate to EPIC) or for website functionality. Any third-party cookies – such as those used to process a donation – are solely for completing the requested action. We do not allow any tracking or advertisement cookies on our website. You may be able to change your browser setup to limit or reject cookies as well. For more information, please visit https://www.aboutcookies.org/.
DONATIONS
Personal Data Elements: In order to process your donation, we will process financial information, billing address, email address, and name if submitted. (EPIC also allows anonymous donations using major cryptocurrencies.)
Purpose(s): EPIC only processes the personal information necessary to process donations to EPIC, to send updates and fundraising requests to our donors, and to comply with applicable laws.
Processing Basis: Your personal data is processed regarding EPIC’s donation list solely as is necessary for our legitimate interests and where not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include accepting and facilitating financial and personal support for the organization and completing the actions that you have requested by submitting information for a donation.
You can read more about EPIC’s work to defend donor privacy here.
EPIC EMAIL ALERTS
Personal Data Element(s): In order to send you our EPIC Alert newsletter or other email notifications that you sign up for, we will process your email address. Please note that we do not require the email address you provide to be linked to an actual identity.
Purpose(s): We collect your email address in order to send you the EPIC Alert newsletter or press updates, send notices about EPIC activities, and request support for EPIC’s work. We will only send you our newsletter when you sign up to receive it by submitting your email address. You can unsubscribe from this newsletter at any time by clicking the “Unsubscribe” link contained in the newsletter email. You can also read the EPIC Alert by visiting the EPIC Alert archive at our web site if you prefer not to provide an email address. We do not enhance (link to other databases) our mailing list or require your actual name.
Processing Basis: We only process data necessary to our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include educating subscribers and the public about emerging privacy and civil liberties issues, promoting EPIC’s activities, supporting EPIC, and providing you with information that you have requested. We have also deactivated tracking features in EmailOctopus (our email list vendor) and require “double opt-in” for subscriptions. We include links to modify or cancel your subscription in every message to the EPIC Alert and press mailing lists.
PETITIONS, EVENTS, AND CAMPAIGNS
Personal Data Elements: When you sign on to petitions or campaigns or register for events, we will process your name (made public on these documents when you choose to provide them) and email address (not made public).
Purpose(s): We may use your email address to contact you for purposes related to the event, petition, or campaign. In the event that any information provided will be made public (such as when you sign a petition), we will notify you on the form prior to submission.
Processing Basis: Your personal data is processed regarding petitions, events, and campaigns solely as is necessary to our legitimate interests and where not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include facilitating your participation in the event or your support for the petition or campaign.
YOUR PERSONAL DATA RIGHTS
You have certain rights regarding your personal data, including the right to confirm whether or not we are processing your personal data. In the event you wish to view, receive a copy of, update, correct, or delete an email address, a donor record, or any other personal data in EPIC’s possession at any time for any reason, please contact privacy-contact [at] epic [dot] org to take those actions. If you feel that your rights are not being adequately respected or adhered to, you also have the right to lodge a complaint with your supervisory authority.
THIRD PARTIES
EPIC limits third party processing to the following, used only as strictly necessary to deliver the requested services:
Website visitors
- Pantheon.io, for website hosting and deliver
- Cloudflare, to protect our website against bot traffic
- Matomo, to analyze website traffic.
Donors and Event Registrants
- Stripe, for payment processing
- Apple Pay, for payment processing
- BeaconCRM, for event ticketing and maintaining donor records
- SendGrid, for e-mail delivery to donors
- Zapier, to automate delivery of e-mail receipts
- hcapatcha, for security on some donation forms
EPIC Alert and press list subscribers, Members
- EmailOctopus, for delivery of the EPIC Alert, press e-mails, and emails to EPIC Members
DATA RETENTION
We will retain any personal data that we process for as long as necessary to complete the purpose of processing. Once the purpose of processing has been completed, we delete raw user data after 18 months.
DATA TRANSFER
In the event that you are providing your personal data to us from outside the United States, we want you to be aware that we make every effort to employ appropriate safeguards related to your data appropriate to the sensitivity of the data in question, but that there is a small chance that your data could be requested or intercepted by the U.S. government. EPIC intends to challenge any subpoena or other legal process seeking access to personal data that we hold and to inform you of any such requests where we can legally do so. Your data is transferred to us as necessary for the performance of a contract between you and EPIC—namely, in order to allow EPIC to deliver to you the applicable service you have requested as described above. If you are an European Economic Area resident and wish to report any concerns or further exercise your rights, contact information for European data protection authorities can be found here. For residents of any other country concerned about our data transfer practices, please reach out to us with any questions at:
privacy-contact [at] epic [dot] org.
QUESTIONS?
For any other information about our privacy policy, or to exercise your privacy rights, please contact us at privacy-contact [at] epic [dot] org.
This policy was updated on July 26, 2024.
View a PDF of tracked changes to this privacy policy here.